SEC Rule Requires Companies to Report Cyber Hacks Within 4 Days

The new rule adopted by the SEC requires all registrants to disclose nature, scope, timing and material impact of cyber hacks
[Image: SEC cyber rule. Image Credit: © Andrii Yalanskyi | Dreamstime.com]

The Securities and Exchange Commission (SEC) adopted a new rule on Wednesday requiring registrants to disclose details of a cybersecurity incident on Form 8-K within four business days of determining that the incident is “material.” The clock starts at the materiality determination, not at discovery of the incident, and the rule requires that determination to be made without unreasonable delay.

“Currently, many public companies provide cybersecurity disclosure to investors,” said SEC Chair Gary Gensler. “I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”

The new requirement mandates that all registrants, including publicly traded companies and foreign private issuers, reveal the hack’s nature, scope, timing, and material (or reasonably likely material) impact to investors. However, the disclosure may be delayed if the U.S. Attorney General determines that immediate disclosure would pose a “substantial risk to national security or public safety” and notifies the SEC of that determination in writing. The initial delay is up to 30 days and can be extended by a further 30 days on the same basis, for 60 days in total, with a final extension of up to 60 more days available only in extraordinary circumstances.

Registrants will also be required to disclose material information regarding their cybersecurity risk management practices, strategies, and governance on an annual basis. Registrants must describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or “reasonably likely material effects” of risks from cybersecurity threats and previous cybersecurity incidents, said the government agency.

The SEC will also require registrants to describe the board of directors’ oversight of risks from cybersecurity threats, and management’s role and expertise in assessing and managing material risks from cybersecurity threats.

The final rules will become effective 30 days following publication of the rule in the Federal Register, according to the SEC. Compliance dates are later: the annual Form 10-K disclosures apply to fiscal years ending on or after December 15, 2023, and the Form 8-K incident disclosure applies from the later of 90 days after Federal Register publication or December 18, 2023, with smaller reporting companies given an additional 180 days for the Form 8-K requirement.

The new rule comes at a time when more companies face cyber risk and exposure of investors’ personal information. Earlier this month, a data breach exposed the names, Social Security numbers, dates of birth, and mailing addresses of close to 172,000 retirees and beneficiaries in the Tennessee Consolidated Retirement System (TCRS).

A few weeks earlier, in June, a cyberattack on a third-party vendor affected 769,000 retirees in the California Public Employees’ Retirement System (CalPERS), compromising names, birth dates, and Social Security numbers.

Amanda Umpierrez
Amanda Umpierrez is the Managing Editor of 401(k) Specialist magazine. She is a financial services reporter with over six years of experience and a passion for telling stories and reporting news. Amanda received her degree in journalism and government and politics at St. John’s University. She is originally from Queens, New York, but now resides in Denver, Colorado with her partner. In her free time, Amanda enjoys running, cooking, and watching the latest drama show.